Date: Fri, 7 Jan 2022 03:39:03 -0800
From: Mark Millard <marklmi@yahoo.com>
To: freebsd-current <freebsd-current@freebsd.org>
Subject: FYI: An example ASAN failure report during kyua test -k /usr/tests/Kyuafile
Message-ID: <E9CC5153-2F34-4BC5-B764-A31A504318D1@yahoo.com>
References: <E9CC5153-2F34-4BC5-B764-A31A504318D1.ref@yahoo.com>
Having done a buildworld with both WITH_ASAN= and WITH_UBSAN= after finding what to control to allow the build, I installed it in a directory tree for chroot use and have "kyua test -k /usr/tests/Kyuafile" running. I see evidence of one AddressSanitizer report. (kyua is still running.)

The context is:

# more /usr/obj/DESTDIRs/main-amd64-xSAN-chroot/tmp/kyua.FKD2vh/434/stdout.txt
Executing command [ mkdir /tmp/kyua.FKD2vh/434/work/mntpt ]
mount -t tmpfs -o size=10M tmpfs /tmp/kyua.FKD2vh/434/work/mntpt
Executing command [ touch a ]
Executing command [ rm a ]
Executing command [ dd if=/dev/zero of=a bs=1m count=15 ]
Executing command [ rm a ]

# more /usr/obj/DESTDIRs/main-amd64-xSAN-chroot/tmp/kyua.FKD2vh/434/stderr.txt
=================================================================
==14384==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa948 at pc 0x000801f38f5a bp 0x7fffffffa830 sp 0x7fffffffa828
WRITE of size 8 at 0x7fffffffa948 thread T0
    #0 0x801f38f59 in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:148:11
    #1 0x10de6c8 in strtoimax /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:3441:18
    #2 0x11a4723 in getq /usr/main-src/bin/test/test.c:560:6
    #3 0x11a4523 in intcmp /usr/main-src/bin/test/test.c:584:7
    #4 0x11a4523 in binop /usr/main-src/bin/test/test.c:351:10
    #5 0x11a2f06 in primary /usr/main-src/bin/test/test.c:317:10
    #6 0x11a2f06 in nexpr /usr/main-src/bin/test/test.c:275:9
    #7 0x11a28cb in aexpr /usr/main-src/bin/test/test.c:261:8
    #8 0x11a2a03 in aexpr /usr/main-src/bin/test/test.c:263:10
    #9 0x11a228b in oexpr /usr/main-src/bin/test/test.c:247:8
    #10 0x11a1fcf in testcmd /usr/main-src/bin/test/test.c:224:10
    #11 0x1145289 in evalcommand /usr/main-src/bin/sh/eval.c:1107:16
    #12 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #13 0x113fb34 in evaltree /usr/main-src/bin/sh/eval.c:225:4
    #14 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
    #15 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
    #16 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #17 0x113fc55 in evaltree /usr/main-src/bin/sh/eval.c:241:4
    #18 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
    #19 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #20 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
    #21 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #22 0x113eb88 in evalstring /usr/main-src/bin/sh/eval.c
    #23 0x1179727 in main /usr/main-src/bin/sh/main.c:171:3

Address 0x7fffffffa948 is located in stack of thread T0 at offset 264 in frame
    #0 0x801f387ff in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:58

  This frame has 1 object(s):
    [32, 36) '__limit.i.i.i' <== Memory access at offset 264 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/main-src/lib/libc/stdlib/strtoimax.c:148:11 in strtoimax_l
Shadow bytes around the buggy address:
  0x4ffffffff4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff4f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff500: f1 f1 f1 f1 00 00 00 00 f1 f1 f1 f1 f8 f3 f3 f3
  0x4ffffffff510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x4ffffffff520: 00 00 00 00 f3 f3 f3 f3 f3[f3]f3 f3 00 00 00 00
  0x4ffffffff530: f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00 00 00 00 00
  0x4ffffffff540: f1 f1 f1 f1 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00
  0x4ffffffff550: f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x4ffffffff560: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x4ffffffff570: f2 f2 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14384==ABORTING

Files left in work directory after failure: mntpt, mounterr

===
Mark Millard
marklmi at yahoo.com
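A triage helper for kyua stderr.txt files holding reports like the one above (an added example, not part of Mark's e-mail and not FreeBSD or LLVM tooling): it pulls out the error kind, the frame-#0 function, the access offset, the frame's object list and the bracketed shadow byte, then checks whether the offset actually lands inside any named object, which is the first thing to settle before blaming strtoimax_l. The embedded SAMPLE is a constructed abridgement of the report quoted in the message.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: an abridged copy of the kyua stderr.txt report quoted above.
SAMPLE = """==14384==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa948 at pc 0x000801f38f5a
WRITE of size 8 at 0x7fffffffa948 thread T0
    #0 0x801f38f59 in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:148:11
    #2 0x11a4723 in getq /usr/main-src/bin/test/test.c:560:6
Address 0x7fffffffa948 is located in stack of thread T0 at offset 264 in frame
    #0 0x801f387ff in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:58
  This frame has 1 object(s):
    [32, 36) '__limit.i.i.i' <== Memory access at offset 264 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
=>0x4ffffffff520: 00 00 00 00 f3 f3 f3 f3 f3[f3]f3 f3 00 00 00 00
"""
# Subset of the shadow-byte legend ASan prints at the end of each report.
SHADOW_LEGEND = {"00": "addressable", "f1": "stack left redzone", "f2": "stack mid redzone",
                 "f3": "stack right redzone", "f5": "stack after return", "f8": "stack use after scope"}

@dataclass
class AsanReport:
    kind: str                 # e.g. "stack-buffer-overflow"
    top_function: str         # function in frame #0 of the access stack
    access_offset: int        # offset of the access inside the reported frame
    objects: list = field(default_factory=list)  # (lo, hi, name) for each frame object
    shadow_byte: str = ""     # legend meaning of the byte ASan brackets as [..]
    vfork_hint: bool = False  # ASan printed its "may be a false positive" hint

    def offset_in_object(self) -> bool:
        """True when the faulting offset lies inside a listed frame object."""
        return any(lo <= self.access_offset < hi for lo, hi, _ in self.objects)

def parse_asan(text: str) -> AsanReport:
    """Extract the triage-relevant fields from an ASan report captured in stderr.txt."""
    kind = re.search(r"ERROR: AddressSanitizer: (\S+) on address", text)
    func = re.search(r"#0 0x[0-9a-f]+ in (\w+)", text)
    off = re.search(r"at offset (\d+) in frame", text)
    objs = [(int(lo), int(hi), n) for lo, hi, n in re.findall(r"\[(\d+), (\d+)\) '([^']+)'", text)]
    shadow = re.search(r"\[([0-9a-f]{2})\]", text)
    return AsanReport(kind.group(1) if kind else "unknown", func.group(1) if func else "?",
                      int(off.group(1)) if off else -1, objs,
                      SHADOW_LEGEND.get(shadow.group(1), shadow.group(1)) if shadow else "",
                      "vfork" in text and "false positive" in text)

def triage(r: AsanReport) -> str:
    """A hit inside a named object is a real overflow to chase; a hit in a redzone outside
    every object, when ASan itself prints the vfork/swapcontext hint, deserves a second look."""
    if r.offset_in_object():
        return "overflow-of-named-object"
    return "outside-frame-objects, check vfork/unwind" if r.vfork_hint else "outside-frame-objects"
```

Run it against the real stderr.txt by passing the file contents to parse_asan; for the report above the access at offset 264 falls outside the only object, [32, 36), so the helper steers toward checking the unwind/vfork angle rather than the variable itself.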